CVE-2020-5000

CWE-79 — Cross-site Scripting (XSS)CWE-20 — Improper Input Validation CWE-203 CWE-798 — Hard-coded Credentials CWE-918 — Server-Side Request Forgery (SSRF)CWE-40433 documents10 sources

Severity

5.4MEDIUM

EPSS

0.2%

top 56.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM Financial Transaction Manager

Timeline

PublishedJun 15

Latest updateMay 24

Description

IBM Financial Transaction Manager 3.2.0 through 3.2.8 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 192952.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5ibm/financial_transaction_manager3.2.0 — 3.2.8

▶NVDibm/financial_transaction_manager3.0.2, 3.2.4+1

Patches

Patch: www.ibm.com ↗Patch: www.ibm.com ↗

🔴Vulnerability Details

GHSA

GHSA-xv9g-pwqj-hpwc: IBM Financial Transaction Manager 3↗2022-05-24

▶

CVEList

CVE-2020-5000: IBM Financial Transaction Manager 3↗2021-06-15

▶

GHSA

Server-side Request Forgery (SSRF) via img tags in reportlab↗2021-03-29

▶

💥Exploits & PoCs

Exploit-DB

BearFTP 0.1.0 - 'PASV' Denial of Service↗2020-02-03

▶

Exploit-DB

PixelStor 5000 K:4.0.1580-20150629 - Remote Code Execution↗2020-01-10

▶

📋Vendor Advisories

Chrome

Stable Channel Update for Desktop: CVE-2021-30532↗2021-05-25

▶

Chrome

Stable Channel Update for Desktop: CVE-2021-21228↗2021-04-26

▶

Chrome

Stable Channel Update for Desktop: CVE-2021-21168↗2021-03-02

▶

Red Hat

python-reportlab: Server-side request forgery via img tags↗2021-02-18

▶

Chrome

Stable Channel Update for Desktop: CVE-2021-21145↗2021-02-02

▶